Inconsistent auth keys on macOS, Windows, Linux

[AaronFriel]

Steps to reproduce

1. Authenticate to third party registries via the mechanism they recommend, i.e.:

# Amazon AWS Elastic Container Registry:
aws ecr get-login-password --region $region | docker login --username AWS --password-stdin $registryName

# Microsoft Azure Container Registry:
az acr login --name $registryName

# Google Cloud Container Registry
gcloud auth configure-docker

# GitHub Container Registry
echo $personalToken | docker login ghcr.io -u USERNAME --password-stdin

2. Use either the Docker Go SDK or the credential helper CLI to output credential info

In Go:

func getCredentials() (map[string]clitypes.AuthConfig, error) {
	creds, err := config.Load(config.Dir())
	if err != nil {
		return nil, err
	}
	creds.CredentialsStore = credentials.DetectDefaultStore(creds.CredentialsStore)
	auths, err := creds.GetAllCredentials()
	if err != nil {
		return nil, err
	}
	return auths, nil
}

Via CLI:

docker-credential-desktop list

3. Attempt to push an image by looking up the auth configuration in the map:

pushAuthConfig = authConfigs[registryServer]

authConfigBytes, err := json.Marshal(pushAuthConfig)
if err != nil {
	return "", nil, fmt.Errorf("error parsing authConfig: %v", err)
}
authConfigEncoded := base64.URLEncoding.EncodeToString(authConfigBytes)

pushOpts := types.ImagePushOptions{RegistryAuth: authConfigEncoded}

pushOutput, err := docker.ImagePush(ctx, img.Name, pushOpts)

Expected behavior

Auth configuration entries should be consistent across platforms, the push succeeds if the authentication is valid and present.

Actual behavior

On some platforms, all auth entries are prefixed with a scheme (https://), on others, only the legacy Docker registry server configuration is.

# macOS:
map[string]types.AuthConfig{
		"https://[redacted].dkr.ecr.us-west-2.amazonaws.com": ...
		"https://ghcr.io/": ...
		"https://index.docker.io/v1/": ...
		"https://registry-1.docker.io/": ...
		"https://[redacted].azurecr.io": ...
})

# Linux and Windows:
map[string]types.AuthConfig{
		"[redacted].dkr.ecr.us-west-2.amazonaws.com": ...
		"ghcr.io": ...
		"https://index.docker.io/v1/": ...
		"registry-1.docker.io": ...
		"[redacted].azurecr.io": ...
})

[shizhMSFT]

What CLI or SDK versions are you using for macOS?

[AaronFriel]

@shizhMSFT I think this would have been the latest CLI as of the date of the posting - 20.10.x? - that ships with Docker Desktop for those platforms.

Regardless, for oras-credentials-go, we should expect to need to handle https:// and non-https:// output.

[thaJeztah]

Hm.. I recall some change that was made (long time ago), which seems like that may be related;

• Fix storing URLs without scheme #72

[thaJeztah]

Looks like there's a related ticket with some discussion in the cli repository (and links to related changes). I'd have to dig up the full history of some of that 😞 (I do know there's quite some confusing code paths in this area related to backward compatibility, but perhaps some of that is no longer needed).

• Protocol should not be stripped out of the registry URL on login cli#190

[shizhMSFT]

@shizhMSFT I think this would have been the latest CLI as of the date of the posting - 20.10.x? - that ships with Docker Desktop for those platforms.

Regardless, for oras-credentials-go, we should expect to need to handle https:// and non-https:// output.

I've tested using my M1 mac (docker desktop 20.10.24). The docker credential helper on macOS behaves the same as Windows and Linux.

off the topic: the goal of oras-credentials-go is to be compatible with the latest docker versions. stay tuned.